A solution for rapid evaluation of numerically large complex rules governing network and application transactions includes, at a network device, receiving network transaction record comprising a plurality of elements that characterize a network transaction, creating a hash of a result of concatenating the plurality of elements, and if the hash is found in a hash table comprising, for each network transaction rule, a hash of the plurality of elements comprising the rule, blocking the network transaction or alerting a network user that a prohibited transaction has occurred.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A computer implemented method comprising: at a network device, receiving network transaction record comprising a plurality of elements of possibly dissimilar data types, each of the plurality of elements characterizing a network transaction; creating a hash of a result of concatenating the plurality of elements regardless of the type of each of the plurality of elements; and if the hash is found in a hash table comprising, for each network transaction rule, a hash of the plurality of elements comprising the rule, ignoring the network transaction; blocking the network transaction; or alerting a network user that a prohibited transaction has occurred.
A network device examines network transactions by creating a unique identifier (hash) for each transaction. The transaction data, which can include elements of different data types, is combined into a single string, and a hash of that string is generated. This hash is then looked up in a table holding one hash per rule. If a match is found, the device can ignore the transaction, block it, or alert the user that a prohibited transaction has occurred. In effect, this is a single constant-time lookup for detecting and preventing unwanted network activity, no matter how many rules are loaded.
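A minimal working version of claim 1, written as an added example (it is not code from the patent or its assignee): a transaction record of mixed-type elements is serialized, hashed once, and looked up in a table keyed by the hash of each rule's elements. The record layout, rule names and values are constructed for the example. One detail the claim leaves open is how "concatenating" dissimilar elements should be done; the example tags and length-prefixes each element, because a bare string join would let two different records ("ab","c") and ("a","bc") hash identically, and a rule could then be matched or missed by shifting a field boundary.

```python
import hashlib
from typing import Dict, Optional, Sequence, Tuple, Union

# Element types accepted by this example (the claims only say "possibly
# dissimilar data types"; this set is an assumption).
Element = Union[str, int, bool, bytes, None]


def canonical_bytes(elements: Sequence[Element]) -> bytes:
    """Serialize mixed-type elements into one unambiguous byte string.

    Every element becomes <1-byte type tag><4-byte length><payload>.  A plain
    join of the values would let ("ab", "c") and ("a", "bc") collide; the tag
    and length prefix keep field boundaries and types part of the hash input.
    """
    out = bytearray()
    for e in elements:
        if e is None:
            tag, payload = b"N", b""
        elif isinstance(e, bool):            # bool before int: bool subclasses int
            tag, payload = b"B", (b"\x01" if e else b"\x00")
        elif isinstance(e, int):
            tag, payload = b"I", str(e).encode("ascii")
        elif isinstance(e, bytes):
            tag, payload = b"R", e
        elif isinstance(e, str):
            tag, payload = b"S", e.encode("utf-8")
        else:
            raise TypeError(f"unsupported element type: {type(e).__name__}")
        out += tag + len(payload).to_bytes(4, "big") + payload
    return bytes(out)


def transaction_hash(elements: Sequence[Element]) -> str:
    """Hash of the concatenated elements, regardless of their types."""
    return hashlib.sha256(canonical_bytes(elements)).hexdigest()


class RuleTable:
    """Hash table with one entry per rule, keyed by the hash of its elements."""

    ACTIONS = ("ignore", "block", "alert")

    def __init__(self) -> None:
        self._rules: Dict[str, Tuple[str, str]] = {}   # hash -> (action, rule name)

    def add_rule(self, name: str, elements: Sequence[Element], action: str) -> None:
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self._rules[transaction_hash(elements)] = (action, name)

    def evaluate(self, record: Sequence[Element]) -> Tuple[str, Optional[str]]:
        """One hash, one lookup: (action, rule name), or ("pass", None)."""
        return self._rules.get(transaction_hash(record), ("pass", None))


def build_demo_table() -> RuleTable:
    # Constructed record layout: (src_ip, dst_port, user, operation, object)
    table = RuleTable()
    table.add_rule("deny-backup-delete", ("10.0.0.5", 5432, "svc_backup", "DELETE", "customers"), "block")
    table.add_rule("watch-salary-reads", ("10.0.0.9", 5432, "alice", "SELECT", "salaries"), "alert")
    table.add_rule("known-noise", ("10.0.0.2", 53, None, "QUERY", "localhost"), "ignore")
    return table


def naive_join_collides() -> Tuple[bool, bool]:
    """(plain-join collides, canonical encoding collides) for a boundary shift.
    A sound encoding returns (True, False)."""
    a, b = ("ab", "c"), ("a", "bc")
    return ("".join(a) == "".join(b), transaction_hash(a) == transaction_hash(b))


if __name__ == "__main__":
    table = build_demo_table()
    print(table.evaluate(("10.0.0.5", 5432, "svc_backup", "DELETE", "customers")))
    print(table.evaluate(("10.0.0.5", 5432, "svc_backup", "SELECT", "customers")))
    print(naive_join_collides())
```

Because the lookup is exact, a record matches only if every element equals the rule's element; partial matches are the subject of the later claims.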
2. The method of claim 1 wherein the creating further comprises, for each combination of elements in the network transaction record, creating a hash.
Building upon the method of checking network transactions by creating a hash, the system generates hashes not only for the complete transaction record but also for every possible combination of data elements within that record. For instance, if a transaction has elements A, B, and C, the system calculates hashes for A, B, C, AB, AC, BC, and ABC. Each of these hashes is checked against the table of prohibited transactions, so a rule that constrains only some of the elements can still be matched.
3. The method of claim 2 wherein a number of combinations of elements is reduced by eliminating combinations of elements that cannot be present in the same network transaction.
The method of creating hashes for every possible combination of data elements within a network transaction is optimized by excluding combinations that are logically impossible. The system reduces the number of combinations to hash by excluding combinations that cannot exist in a single transaction, improving efficiency.
4. The method of claim 3 wherein the combinations of elements that cannot be present in the same network transaction comprise a combination of: elements of a transaction specific to database operations; and elements of a transaction specific to file operations.
Continuing the optimization of creating hashes for combinations of network transaction elements, the system specifically avoids creating hashes for combinations that are inherently incompatible, such as data elements from database operations combined with elements from file operations. Because these element combinations are nonsensical, excluding them reduces computational load and improves efficiency of the rule evaluation.
5. The method of claim 2 wherein a number of combinations of elements is reduced by eliminating combinations of elements that include an element not found at least one rule.
Further optimizing the method of hashing combinations of network transaction elements, the system avoids creating hashes for element combinations if they include elements not found in at least one of the defined network transaction rules. If a specific element never appears in any rule, any combination containing it is irrelevant for security purposes, and thus is eliminated to reduce computational load and improve rule evaluation efficiency.
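Claims 2 through 5 together describe enumerating element combinations and pruning the enumeration. The following added example (not code from the patent or its assignee) implements that with bit patterns: bit i of a pattern selects field i of a fixed record layout, every non-zero pattern is a combination, and a pattern is discarded if it mixes database and file elements (claims 3 and 4) or selects a field that appears in no rule (claim 5). The same bit-pattern selection is the mechanism claims 17 and 18 describe as removing elements "according to a binary pattern". The field names, rules and records are constructed for the example, and the hash of a combination is taken over the (field, value) pairs in layout order.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed record layout; fixed order so bit i of a pattern always means field i.
FIELDS = ("src_ip", "user", "db_table", "db_op", "file_path", "file_op")

# Element groups that never co-occur in one transaction (claims 3/4): a record
# describes either a database operation or a file operation, not both.
DB_FIELDS = frozenset({"db_table", "db_op"})
FILE_FIELDS = frozenset({"file_path", "file_op"})

# Constructed rules: (name, elements the rule constrains, action).
RULES = [
    ("deny-backup-delete", {"user": "svc_backup", "db_op": "DELETE"}, "block"),
    ("watch-payroll-write", {"src_ip": "10.0.0.9", "file_path": "/srv/payroll.csv", "file_op": "WRITE"}, "alert"),
]


def element_hash(pairs: Tuple[Tuple[str, str], ...]) -> str:
    # pairs are (field, value) in FIELDS order; repr() of the tuple is unambiguous.
    return hashlib.sha256(repr(pairs).encode("utf-8")).hexdigest()


def ordered_pairs(mapping: Dict[str, str]) -> Tuple[Tuple[str, str], ...]:
    return tuple((f, mapping[f]) for f in FIELDS if f in mapping)


def build_table(rules) -> Dict[str, Tuple[str, str]]:
    """hash of a rule's elements -> (action, rule name)."""
    return {element_hash(ordered_pairs(fields)): (action, name) for name, fields, action in rules}


def fields_of(pattern: int) -> List[str]:
    """Fields selected by a binary pattern: field i is kept iff bit i is set."""
    return [f for i, f in enumerate(FIELDS) if pattern >> i & 1]


def candidate_patterns(rules) -> List[int]:
    """Every non-empty combination (claim 2) minus those that mix incompatible
    groups (claims 3/4) or select a field that no rule uses (claim 5)."""
    used = set()
    for _, fields, _ in rules:
        used.update(fields)
    patterns = []
    for pattern in range(1, 1 << len(FIELDS)):
        chosen = set(fields_of(pattern))
        if not chosen <= used:
            continue                  # includes a field that appears in no rule
        if chosen & DB_FIELDS and chosen & FILE_FIELDS:
            continue                  # database and file elements never co-occur
        patterns.append(pattern)
    return patterns


def select_by_pattern(record: Dict[str, str], pattern: int) -> Optional[Tuple[Tuple[str, str], ...]]:
    """Drop the elements the pattern does not select (claims 17/18).  Returns
    None when the record lacks a selected field: no rule on that combination
    can match it, so there is nothing to hash."""
    chosen = fields_of(pattern)
    if any(f not in record for f in chosen):
        return None
    return tuple((f, record[f]) for f in chosen)


def evaluate(record: Dict[str, str], table, patterns) -> Tuple[str, Optional[str]]:
    """Hash each surviving combination of the record and look it up; first hit wins."""
    for pattern in patterns:
        pairs = select_by_pattern(record, pattern)
        if pairs is not None:
            hit = table.get(element_hash(pairs))
            if hit:
                return hit
    return ("pass", None)


if __name__ == "__main__":
    table, patterns = build_table(RULES), candidate_patterns(RULES)
    print(len(patterns), "of", (1 << len(FIELDS)) - 1, "combinations survive pruning")
    print(evaluate({"src_ip": "10.0.0.5", "user": "svc_backup", "db_table": "customers", "db_op": "DELETE"},
                   table, patterns))
```

With six fields there are 63 non-empty combinations; the two pruning rules cut the constructed rule set's candidates to 19, and that set is computed once when rules load, not per transaction. If several combinations of one record could hit rules with different actions, the loop above returns the first in pattern order, so a deployment would want an explicit precedence (for example block over alert over ignore).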
6. The method of claim 1, further comprising: for each network transaction rule having a wild card for a portion of at least one of the plurality of elements comprising the rule, the hash is encoded as if the elements having a wild card were absent from the rule; if the hash is found, matching the network transaction against the element having the wild card; and if there is a match, ignoring the network transaction; blocking the network transaction; or alerting a network user that a prohibited transaction has occurred.
When a network transaction rule contains a wildcard element (meaning that any value is acceptable for that element), the hashing process changes. The hash is generated *as if* the wildcard element were absent from the transaction. If this modified hash is found in the table, the system then performs a more detailed match against the original transaction data, specifically checking if the value of the wildcard element in the transaction matches the intent of the wildcard. If there is a match, the transaction is blocked or the user is alerted.
7. The method of claim 1, further comprising: for each network transaction rule having a white list indication for a portion of at least one of the plurality of elements comprising the rule, the hash is encoded as if the elements having a wild card were absent from the rule; if the hash is found, matching the network transaction against the element having the white list element; and if there is no match, ignoring the network transaction; blocking the network transaction; or alerting a network user that a prohibited transaction has occurred.
In a similar manner to wildcard handling, when a network transaction rule incorporates a whitelist (meaning only certain values are allowed), the hash of the transaction is generated *as if* the whitelisted element were absent. If this simplified hash is found in the table, a check is performed to verify if the actual value of the whitelist element in the transaction *does not* appear in the whitelist. If the element is not on the whitelist, then the network transaction is blocked or the user is alerted.
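Claims 6 and 7 both use the same two-stage evaluation: the hash covers only the rule's exact-valued elements, and a hash hit is followed by a secondary check of the wildcard or whitelist element. The added example below (not code from the patent or its assignee) implements both in one rule set. Rule elements, record layout and values are constructed; wildcards are modelled as glob patterns via Python's fnmatch, which is an implementation choice the claims do not specify. Note the inverted sense for whitelists: a hash hit plus a value that is on the whitelist means the rule does not fire.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

FIELDS = ("src_ip", "user", "path", "op")    # constructed record layout


@dataclass(frozen=True)
class Wildcard:
    """Glob covering part of an element, e.g. "/srv/finance/*" (claim 6)."""
    pattern: str


@dataclass(frozen=True)
class WhiteList:
    """Values allowed for the element; any other value fires the rule (claim 7)."""
    allowed: FrozenSet[str]


Spec = Union[str, Wildcard, WhiteList]
Rule = Tuple[str, Dict[str, Spec], str]      # (name, elements, action)


def digest(pairs: Tuple[Tuple[str, str], ...]) -> str:
    return hashlib.sha256(repr(pairs).encode("utf-8")).hexdigest()


def shape_of(elements: Dict[str, Spec]) -> Tuple[str, ...]:
    """Fields with exact values: only these enter the hash, so a wildcard or
    whitelist element is encoded as if absent from the rule."""
    return tuple(f for f in FIELDS if isinstance(elements.get(f), str))


def secondary_check(elements: Dict[str, Spec], record: Dict[str, str]) -> bool:
    """After a hash hit: True iff every wildcard matches and no whitelisted
    element holds an allowed value.  A missing field never fires a rule."""
    for field, spec in elements.items():
        value = record.get(field)
        if isinstance(spec, Wildcard):
            if value is None or not fnmatch.fnmatchcase(value, spec.pattern):
                return False
        elif isinstance(spec, WhiteList):
            if value is None or value in spec.allowed:
                return False
    return True


class RuleSet:
    def __init__(self, rules: List[Rule]) -> None:
        self.table: Dict[str, List[Rule]] = {}   # hash of exact elements -> rules
        self.shapes: List[Tuple[str, ...]] = []  # distinct exact-field subsets to hash
        for name, elements, action in rules:
            shape = shape_of(elements)
            if shape not in self.shapes:
                self.shapes.append(shape)
            key = digest(tuple((f, elements[f]) for f in shape))
            self.table.setdefault(key, []).append((name, elements, action))

    def evaluate(self, record: Dict[str, str]) -> Tuple[str, Optional[str]]:
        # Hash the record restricted to each shape present in the rule set, so the
        # record is encoded the same way the rules were; first rule to fire wins.
        for shape in self.shapes:
            if any(f not in record for f in shape):
                continue
            key = digest(tuple((f, record[f]) for f in shape))
            for name, elements, action in self.table.get(key, []):
                if secondary_check(elements, record):
                    return (action, name)
        return ("pass", None)


# Constructed rules.
RULES: List[Rule] = [
    ("alert-finance-writes", {"op": "WRITE", "path": Wildcard("/srv/finance/*")}, "alert"),
    ("payroll-authorised-only",
     {"path": "/srv/hr/payroll.csv", "user": WhiteList(frozenset({"hr_admin", "payroll_svc"}))}, "block"),
]

if __name__ == "__main__":
    rs = RuleSet(RULES)
    print(rs.evaluate({"src_ip": "10.0.0.7", "user": "bob", "path": "/srv/finance/q3.xlsx", "op": "WRITE"}))
    print(rs.evaluate({"src_ip": "10.0.0.7", "user": "bob", "path": "/srv/hr/payroll.csv", "op": "READ"}))
    print(rs.evaluate({"src_ip": "10.0.0.7", "user": "hr_admin", "path": "/srv/hr/payroll.csv", "op": "READ"}))
```

The cost of the secondary check is paid only on hash hits, which keeps the common path a single lookup per shape. A rule whose elements are all wildcards or whitelists has an empty shape and would hash every record to the same key, so such rules should be rejected at load time or handled by a separate non-hashed path.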
8. A network device comprising: a memory; and one or more processors configured to: receive network transaction record comprising a plurality of elements of possibly dissimilar data types, each of the plurality of elements characterizing a network transaction; create a hash of a result of concatenating the plurality of elements regardless of the type of each of the plurality of elements; and if the hash is found in a hash table comprising, for each network transaction rule, a hash of the plurality of elements comprising the rule, ignore the network transaction; block the network transaction; or alert a network user that a prohibited transaction has occurred.
A network device is configured with memory and processors to monitor network transactions. The device receives transaction records containing various data types. The processor combines this data into a single string and generates a hash of that string. The processor then checks this hash against a table of prohibited transaction hashes. If a match is found, the processor is configured to either block the transaction or alert the user, thus preventing or flagging potentially harmful network activity.
9. The network device of claim 8 wherein the creating further comprises, for each combination of elements in the network transaction record, creating a hash.
Building upon the network device configuration described previously, the device generates hashes not only for the complete transaction record but also for every possible combination of data elements within that record. These are then checked against the table of prohibited transactions, improving detection of partial or incomplete matches.
10. The network device of claim 9 wherein a number of combinations of elements is reduced by eliminating combinations of elements that cannot be present in the same network transaction.
The network device is further optimized by excluding combinations that are logically impossible, which reduces the number of element combinations to hash and improves efficiency. This enhances the performance of detecting and preventing unwanted network activity.
11. The network device of claim 10 wherein the combinations of elements that cannot be present in the same network transaction comprise a combination of: elements of a transaction specific to database operations; and elements of a transaction specific to file operations.
Specifically, the device avoids creating hashes for combinations that are inherently incompatible, such as data elements from database operations combined with elements from file operations. Eliminating these nonsensical element combinations reduces the computational load, improving rule evaluation efficiency.
12. The network device of claim 9 wherein a number of combinations of elements is reduced by eliminating combinations of elements that include an element not found at least one rule.
The device is further optimized by not creating hashes for element combinations that include an element appearing in none of the defined network transaction rules. Eliminating these irrelevant element combinations reduces the computational load and improves rule evaluation efficiency, resulting in faster monitoring.
13. The network device of claim 8 wherein the one or more processors are further configured to: for each network transaction rule having a wild card for a portion of at least one of the plurality of elements comprising the rule, encode the hash as if the elements having a wild card were absent from the rule; if the hash is found, match the network transaction against the element having the wild card; and if there is a match, ignore the network transaction; block the network transaction; or alert a network user that a prohibited transaction has occurred.
When a network transaction rule contains a wildcard element, the processor encodes the hash as if the wildcard element were absent from the rule. If this modified hash is found, the device then performs a detailed match against the original transaction data, checking the wildcard element's value. The device is configured to block or alert on a match, ensuring proper enforcement of rules with wildcard exceptions.
14. The network device of claim 8 wherein the one or more processors are further configured to: for each network transaction rule having a white list indication for a portion of at least one of the plurality of elements comprising the rule, encode the hash as if the elements having a wild card were absent from the rule; if the hash is found, match the network transaction against the element having the white list element; and if there is no match, ignore the network transaction; block the network transaction; or alert a network user that a prohibited transaction has occurred.
When a network transaction rule incorporates a whitelist, the processor encodes the hash as if the whitelisted element were absent from the rule. If this simplified hash is found, a check is performed to verify that the whitelist element in the transaction *does not* appear in the whitelist. If the element is not on the whitelist, then the device blocks or alerts on the network transaction.
15. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method, the method comprising: at a network device, receiving network transaction record comprising a plurality of elements of possibly dissimilar data types, each of the plurality of elements characterizing a network transaction; creating a hash of a result of concatenating the plurality of elements regardless of the type of each of the plurality of elements; and if the hash is found in a hash table comprising, for each network transaction rule, a hash of the plurality of elements comprising the rule, ignoring the network transaction; blocking the network transaction; or alerting a network user that a prohibited transaction has occurred.
A computer-readable storage device contains instructions that, when executed by a machine (like a server or network appliance), cause the machine to monitor network transactions. This involves receiving transaction records, combining the record data into a string, and generating a hash of that string. The hash is checked against a table of prohibited transaction hashes. The machine is further instructed to block the transaction or alert the user if a match is found, thus preventing or flagging potentially harmful network activity.
16. A network device comprising: means for, at a network device, receiving network transaction record comprising a plurality of elements of possibly dissimilar data types, each of the plurality of elements characterizing a network transaction; means for creating a hash of a result of concatenating the plurality of elements regardless of the type of each of the plurality of elements; and means for, if the hash is found in a hash table comprising, for each network transaction rule, a hash of the plurality of elements comprising the rule, ignoring the network transaction; blocking the network transaction; or alerting a network user that a prohibited transaction has occurred.
A network device includes the necessary components to receive network transaction records, combine the data elements within the record, and generate a hash of the combined data. It also includes the components to compare the generated hash against a table of hashes representing prohibited transactions. The network device can then block the transaction or alert the user if a match is found, serving as a means for detecting and preventing unwanted network activity.
17. A computer implemented method comprising: at a network device, receiving network transaction record comprising a first plurality of elements of possibly dissimilar data types, each of the first plurality of elements characterizing a network transaction; selectively removing one or more elements from the first plurality of elements according to a binary pattern to create a second plurality of elements; creating a hash of a result of concatenating the second plurality of elements regardless of the type of each of the plurality of elements; and if the hash is found in a hash table comprising, for each network transaction rule, a hash of a plurality of elements comprising the rule, ignoring the network transaction; blocking the network transaction; or alerting a network user that a prohibited transaction has occurred.
A computer-implemented method involves receiving network transaction records containing different data types. The method selectively removes elements from the record based on a binary pattern, creating a modified record. Then, it calculates a hash of the modified record's combined data. Finally, it compares this hash to a table of prohibited transaction hashes. If a match is found, the system can either block the transaction or alert the user that a prohibited transaction has occurred. This allows for flexibility in the data elements considered for the hashing and rule evaluation process.
18. A network device comprising: a memory; and one or more processors configured to: receive network transaction record comprising a first plurality of elements of possibly dissimilar data types, each of the first plurality of elements characterizing a network transaction; selectively remove one or more elements from the first plurality of elements according to a binary pattern to create a second plurality of elements; create a hash of a result of concatenating the second plurality of elements regardless of the type of each of the plurality of elements; and if the hash is found in a hash table comprising, for each network transaction rule, a hash of a plurality of elements comprising the rule, ignoring the network transaction; block the network transaction; or alert a network user that a prohibited transaction has occurred.
A network device contains memory and processors that monitor network transactions by receiving transaction records containing different data types. The processor selectively removes elements from the record based on a binary pattern, creating a modified record. Then, the processor calculates a hash of the modified record's combined data and compares the hash to a table of hashes that represent prohibited transactions. The device can then ignore, block, or alert the user on any transaction whose hash matches a prohibited hash.
October 23, 2009
June 11, 2013